From d79043b220f9fd0464f95015f0c211d3ab1cc239 Mon Sep 17 00:00:00 2001 From: Aditya948351 Date: Wed, 20 May 2026 10:48:22 +0530 Subject: [PATCH 1/6] feat: add CodeQL, ZAP, Gitleaks workflows and Dependabot config --- .github/dependabot.yml | 16 +++++++++++ .github/workflows/codeql.yml | 41 ++++++++++++++++++++++++++++ .github/workflows/gitleaks.yml | 20 ++++++++++++++ .github/workflows/zap-api-scan.yml | 44 ++++++++++++++++++++++++++++++ 4 files changed, 121 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/gitleaks.yml create mode 100644 .github/workflows/zap-api-scan.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..1f70c8fd --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..09f03b33 --- /dev/null +++ b/.github/workflows/codeql.yml 
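Review bot: The npm `ignore` entry in the new dependabot.yml (`dependency-name: "*"` with `version-update:semver-major`) suppresses every major-version bump, so a fix that only ships in a new major line is never proposed; as far as I recall Dependabot applies `ignore` rules to its security updates as well as to version updates, so confirm that against the docs before keeping a wildcard. Narrow it to the packages whose majors you actually want to defer, e.g. `- dependency-name: "next"` and `- dependency-name: "react"` each with the same `update-types`, and add a comment above the block stating why those are held back. The weekly cadence and `open-pull-requests-limit: 10` are otherwise reasonable for both ecosystems.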
@@ -0,0 +1,41 @@ +name: "CodeQL" + +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + schedule: + - cron: '30 2 * * 1' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended,security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 00000000..a80d9f63 --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,20 @@ +name: Gitleaks +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + +jobs: + scan: + name: Secret Scanning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false + GITLEAKS_ENABLE_SUMMARY: true diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml new file mode 100644 index 00000000..c9982bc6 --- /dev/null +++ b/.github/workflows/zap-api-scan.yml 
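Review bot: Every action in the new codeql.yml is referenced by a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`), so a compromised or force-moved tag changes what executes in a job that holds `security-events: write`. Pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`; the `github-actions` Dependabot entry added in the same series keeps SHA pins current. The `Autobuild` step should not be needed for the `javascript` language, which CodeQL extracts without a build, though leaving it in is harmless. `queries: security-extended,security-and-quality` will be noisy on a first run; consider starting with `security-extended` alone and widening once the baseline has been triaged.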
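Review bot: The `scan` job in gitleaks.yml has no `permissions:` block, so it runs with whatever the repository's default `GITHUB_TOKEN` scope is, which is still read/write on older repositories; the CodeQL workflow in this same series scopes its token, so do the same here with `permissions:` / `contents: read` (plus `pull-requests: write` only if the action's PR comments are wanted). `gitleaks/gitleaks-action@v2` and `actions/checkout@v4` should likewise be pinned to commit SHAs. I believe the gitleaks action also requires a `GITLEAKS_LICENSE` secret for organization-owned repositories and exits early without it, so if this repo lives under an org the job will never actually scan until that secret exists. `fetch-depth: 0` is correct here: gitleaks needs full history to catch a secret that was committed and later removed.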
@@ -0,0 +1,44 @@ +name: "OWASP ZAP API Scan" + +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + +jobs: + zap_scan: + runs-on: ubuntu-latest + name: Scan the webapplication + steps: + - name: Checkout + uses: actions/checkout@v4 + + # Next.js app needs to be built and served to be scanned locally + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Build Next.js + run: npm run build + + - name: Start Next.js in background + run: npm run start & + env: + PORT: 3000 + + - name: Wait for server to start + run: sleep 10 + + - name: ZAP Baseline Scan + uses: zaproxy/action-baseline@v0.12.0 + with: + target: 'http://localhost:3000' + fail_action: false # Set to true to fail the build on vulnerabilities + rules_file_name: '.zap/rules.tsv' + cmd_options: '-a' From 97e76c179b10b692b5f6b083b181e8cbc8d41965 Mon Sep 17 00:00:00 2001 From: Aditya948351 Date: Wed, 20 May 2026 10:57:49 +0530 Subject: [PATCH 2/6] fix: mock firebase env vars in ZAP scan to prevent build failure --- .github/workflows/zap-api-scan.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml index c9982bc6..311a5871 100644 --- a/.github/workflows/zap-api-scan.yml +++ b/.github/workflows/zap-api-scan.yml 
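Review bot: `cmd_options: '-a'` in the new zap-api-scan.yml turns on ZAP's alpha passive-scan rules, which add unstable, high-false-positive findings to a report that nothing gates on (`fail_action: false`), so the scan generates noise without ever blocking anything; drop `-a`, or keep it and move `fail_action` to `true` once a rules file listing the accepted findings exists. The target is a locally served build, so header and cookie findings describe the CI server, not the production host; a comment on the `target:` line saying so would spare the next reader a misreading. `zaproxy/action-baseline@v0.12.0` should be pinned to a commit SHA like the other actions in this series.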
@@ -26,11 +26,24 @@ jobs: - name: Build Next.js run: npm run build + env: + NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" + NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: "mock.firebaseapp.com" + NEXT_PUBLIC_FIREBASE_PROJECT_ID: "mock_project_id" + NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET: "mock.appspot.com" + NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID: "123456789" + NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" - name: Start Next.js in background run: npm run start & env: PORT: 3000 + NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" + NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: "mock.firebaseapp.com" + NEXT_PUBLIC_FIREBASE_PROJECT_ID: "mock_project_id" + NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET: "mock.appspot.com" + NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID: "123456789" + NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" - name: Wait for server to start run: sleep 10 From 742aa4bc5a2d11b0c0b515b3d270f6b0f0c0120b Mon Sep 17 00:00:00 2001 From: Aditya948351 Date: Wed, 20 May 2026 11:01:48 +0530 Subject: [PATCH 3/6] fix: run static export server and remove missing rules file for ZAP --- .github/workflows/zap-api-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml index 311a5871..e9ff6c6e 100644 --- a/.github/workflows/zap-api-scan.yml +++ b/.github/workflows/zap-api-scan.yml @@ -35,7 +35,7 @@ jobs: NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" - name: Start Next.js in background - run: npm run start & + run: npx serve@latest out -l 3000 & env: PORT: 3000 NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" @@ -52,6 +52,5 @@ jobs: uses: zaproxy/action-baseline@v0.12.0 with: target: 'http://localhost:3000' - fail_action: false # Set to true to fail the build on vulnerabilities - rules_file_name: '.zap/rules.tsv' + fail_action: false cmd_options: '-a' From 327b40e5eb140a03583b7365b76ad2259cf15677 Mon Sep 17 00:00:00 2001 
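Review bot: The six `NEXT_PUBLIC_FIREBASE_*` placeholders are repeated verbatim on the `Build Next.js` and `Start Next.js in background` steps; as I understand Next.js, `NEXT_PUBLIC_*` values are inlined at build time, so the copy on the start step is dead, and two copies invite drift when someone edits one. Hoist them once to a job-level `env:` under `zap_scan` and label them: `# Placeholder Firebase config so the build succeeds; real project values are not needed for the scan and must never be pasted here`. Keeping real keys out of the workflow file is the point of mocking, so the comment should say so rather than leave the next maintainer to guess.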
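Review bot: `npx serve@latest out -l 3000` resolves and executes whatever version of `serve` is on the npm registry at run time, so every CI run pulls an unpinned package and runs its lifecycle scripts; pin it (`npx --yes serve@14 out -l 3000`), or add `serve` as a devDependency so `npm ci` installs it from the lockfile and run `npx --no-install serve out -l 3000`. The `PORT: 3000` env entry on that step is now redundant with `-l 3000`, and the `NEXT_PUBLIC_*` entries that `serve` never reads can go with it.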
From: Aditya948351 Date: Wed, 20 May 2026 11:05:54 +0530 Subject: [PATCH 4/6] fix: grant issue write permissions to ZAP scan so it can report findings --- .github/workflows/zap-api-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml index e9ff6c6e..a1a3f2eb 100644 --- a/.github/workflows/zap-api-scan.yml +++ b/.github/workflows/zap-api-scan.yml @@ -10,6 +10,9 @@ jobs: zap_scan: runs-on: ubuntu-latest name: Scan the webapplication + permissions: + contents: read + issues: write steps: - name: Checkout uses: actions/checkout@v4 From 07dbaf661df1893f532ffaf55b70527967a9cb02 Mon Sep 17 00:00:00 2001 From: Aditya948351 Date: Wed, 20 May 2026 11:11:51 +0530 Subject: [PATCH 5/6] feat: replace OWASP ZAP with Nuclei security scanner --- .github/workflows/nuclei-scan.yml | 72 ++++++++++++++++++++++++++++++ .github/workflows/zap-api-scan.yml | 59 ------------------------ 2 files changed, 72 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/nuclei-scan.yml delete mode 100644 .github/workflows/zap-api-scan.yml diff --git a/.github/workflows/nuclei-scan.yml b/.github/workflows/nuclei-scan.yml new file mode 100644 index 00000000..4d27c3fc --- /dev/null +++ b/.github/workflows/nuclei-scan.yml 
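Review bot: `issues: write` is granted to a job that checks out and executes pull-request code (`npm ci`, `npm run build`) on every `push` and `pull_request`, which is wider than the scan needs; the only consumer is the ZAP action's default issue creation, and on pull requests from forks the token is read-only anyway, so that path fails there as I understand the action. Set `allow_issue_writing: false` on the `ZAP Baseline Scan` step, rely on the report artifact the action uploads by default, and reduce this block to `permissions:` / `contents: read`. If issue filing is wanted, enable it only for `push` or scheduled runs rather than for PRs.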
@@ -0,0 +1,72 @@ +name: "Nuclei Security Scan" + +on: + push: + branches: [ "master", "main" ] + pull_request: + branches: [ "master", "main" ] + +jobs: + nuclei-scan: + runs-on: ubuntu-latest + name: Nuclei API & Web Security Scan + permissions: + contents: read + issues: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Build Next.js (static export) + run: npm run build + env: + NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" + NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: "mock.firebaseapp.com" + NEXT_PUBLIC_FIREBASE_PROJECT_ID: "mock_project_id" + NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET: "mock.appspot.com" + NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID: "123456789" + NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" + + - name: Serve static build + run: npx serve@latest out -l 3000 & + + - name: Wait for server to be ready + run: | + for i in {1..15}; do + curl -s http://localhost:3000 > /dev/null && echo "Server is up!" && break + echo "Waiting for server... ($i)" + sleep 2 + done + + - name: Install Nuclei + run: | + wget -q https://github.com/projectdiscovery/nuclei/releases/download/v3.3.8/nuclei_3.3.8_linux_amd64.zip + unzip -q nuclei_3.3.8_linux_amd64.zip + sudo mv nuclei /usr/local/bin/ + nuclei -version + + - name: Run Nuclei Scan + run: | + nuclei -u http://localhost:3000 \ + -tags exposure,misconfig,headers,tech \ + -severity low,medium,high,critical \ + -o nuclei-results.txt \ + -no-color || true + + - name: Upload Nuclei Results + uses: actions/upload-artifact@v4 + if: always() + with: + name: nuclei-security-report + path: nuclei-results.txt + retention-days: 30 diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml deleted file mode 100644 index a1a3f2eb..00000000 --- a/.github/workflows/zap-api-scan.yml +++ /dev/null 
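Review bot: `issues: write` is carried over into nuclei-scan.yml although no step in this job writes issues — results go to `actions/upload-artifact@v4` — so the job runs PR-supplied build scripts with a token scope it does not use; drop it and keep `contents: read` only. The loop in `Wait for server to be ready` never fails when `serve` does not come up, and `|| true` on the scan then hides a run against an empty port; add after `done` the line `curl -sf http://localhost:3000 >/dev/null || { echo "server did not start"; exit 1; }`. `npx serve@latest` is still unpinned here, as it was in the ZAP workflow, and `-tags exposure,misconfig,headers,tech` will report the headers of `serve`, not of the production host, which deserves a comment on the `Run Nuclei Scan` step.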
@@ -1,59 +0,0 @@ -name: "OWASP ZAP API Scan" - -on: - push: - branches: [ "master", "main" ] - pull_request: - branches: [ "master", "main" ] - -jobs: - zap_scan: - runs-on: ubuntu-latest - name: Scan the webapplication - permissions: - contents: read - issues: write - steps: - - name: Checkout - uses: actions/checkout@v4 - - # Next.js app needs to be built and served to be scanned locally - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '20' - cache: 'npm' - - - name: Install dependencies - run: npm ci - - - name: Build Next.js - run: npm run build - env: - NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" - NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: "mock.firebaseapp.com" - NEXT_PUBLIC_FIREBASE_PROJECT_ID: "mock_project_id" - NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET: "mock.appspot.com" - NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID: "123456789" - NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" - - - name: Start Next.js in background - run: npx serve@latest out -l 3000 & - env: - PORT: 3000 - NEXT_PUBLIC_FIREBASE_API_KEY: "mock_api_key" - NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN: "mock.firebaseapp.com" - NEXT_PUBLIC_FIREBASE_PROJECT_ID: "mock_project_id" - NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET: "mock.appspot.com" - NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID: "123456789" - NEXT_PUBLIC_FIREBASE_APP_ID: "1:123456789:web:abcdef" - - - name: Wait for server to start - run: sleep 10 - - - name: ZAP Baseline Scan - uses: zaproxy/action-baseline@v0.12.0 - with: - target: 'http://localhost:3000' - fail_action: false - cmd_options: '-a' From 28165f27767c75929117c4642db3c433bd69835d Mon Sep 17 00:00:00 2001 From: Aditya948351 Date: Wed, 20 May 2026 11:14:56 +0530 Subject: [PATCH 6/6] fix: use official nuclei-action instead of manual install --- .github/workflows/nuclei-scan.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/nuclei-scan.yml b/.github/workflows/nuclei-scan.yml index 4d27c3fc..67d22de2 100644 
--- a/.github/workflows/nuclei-scan.yml +++ b/.github/workflows/nuclei-scan.yml @@ -48,20 +48,12 @@ jobs: sleep 2 done - - name: Install Nuclei - run: | - wget -q https://github.com/projectdiscovery/nuclei/releases/download/v3.3.8/nuclei_3.3.8_linux_amd64.zip - unzip -q nuclei_3.3.8_linux_amd64.zip - sudo mv nuclei /usr/local/bin/ - nuclei -version - - name: Run Nuclei Scan - run: | - nuclei -u http://localhost:3000 \ - -tags exposure,misconfig,headers,tech \ - -severity low,medium,high,critical \ - -o nuclei-results.txt \ - -no-color || true + uses: projectdiscovery/nuclei-action@v2 + with: + target: http://localhost:3000 + flags: "-tags exposure,misconfig,headers,tech -severity low,medium,high,critical" + output: nuclei-results.txt - name: Upload Nuclei Results uses: actions/upload-artifact@v4
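Review bot: `projectdiscovery/nuclei-action@v2` floats on a major tag, which trades the explicit `v3.3.8` pin of the removed manual install for whatever the tag currently points at; pin the action to a commit SHA with a version comment, e.g. `uses: projectdiscovery/nuclei-action@<sha> # v2.x`, and Dependabot's `github-actions` entry will keep it current. Dropping `|| true` also changed the failure semantics: I believe this action does not fail the job on findings by default, so check how it treats a non-zero nuclei exit and decide explicitly whether `high,critical` results should block the build, since `-severity low,medium,high,critical` suggests they are meant to be visible rather than gating. The `Wait for server to be ready` loop that precedes this step still does not abort when the server never answers, so the scan can silently run against nothing.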